Method and apparatus for dynamic provisioning of an access control policy in a controller hub
A method and apparatus for dynamic provisioning of an access control policy in an input/output (I/O) controller hub are described. In one embodiment, the method includes the establishment of a control channel during evaluation stages of a network access request. In one embodiment, the control channel enables resource enumeration of a hardware platform while disabling data read/write processing of the hardware platform. Once resource enumeration is completed, conditional control settings for each enumerated platform resource are sent to a network policy decision point. Once transmitted, if the conditional control settings identify the hardware platform as having a non-compliant configuration, conditional control settings for at least one enumerated resource of the hardware platform are modified according to a received access control policy to provide compliance of the hardware platform configuration to enable network access. Other embodiments are described and claimed.
Latest Patents:
One or more embodiments relate generally to the field of integrated circuit and computer system design. More particularly, one or more of the embodiments relate to a method and apparatus for dynamic provisioning of an access control policy in a controller hub.
BACKGROUNDSecuring corporate networks from attack has become evermore essential as networking has evolved to support both wired and wireless access. For example, global corporations may support thousands of employees and contractors all over the world, resulting in workers and contractors that are mobile and unwired. As a result, network access for such employees depends more and more upon wireless local area networks (LANs) and wide area networks (WLANs), as well as virtual private networks (VPN) for remote access. Unfortunately, each of these technologies creates the potential to expose a network perimeter to threats.
Such threats from malware (e.g., computer viruses, Trojan horses, worms) continue to grow, which provides every increasing challenges to network administrators to provide network security. Current detection techniques are generally reactive and are designed to react to known malware that has been spread. That is, when malware is discovered, identifying characteristics are used to identify future instructions of the malware. Applying this detection technique to a network may allow the spread of malware under some conditions.
In spite of the threats posed by such malware, current network access control (NAC) architectures are typically limited to static roll designations that usually correspond to a particular class of device (e.g., access requests or common policy enforcement point, access server, policy decision point). Furthermore, the definition of network boundaries is implicitly defined by topology of devices acting as policy enforcement points.
BRIEF DESCRIPTION OF THE DRAWINGSThe various embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
A method and apparatus for dynamic provisioning of an access control policy in an input/output (I/O) controller hub are described. In one embodiment, the method includes the establishment of a control channel during evaluation stages of a network access request. In one embodiment, the control channel enables resource enumeration of a hardware platform while disabling data read/write processing of the hardware platform. Once resource enumeration is completed, conditional control settings for each enumerated platform resource are sent to a network policy decision point. Once transmitted, if the conditional control settings identify the hardware platform as having a non-compliant configuration, conditional control settings for at least one enumerated resource of the hardware platform are modified according to a received access control policy to provide compliance of the hardware platform configuration to enable network access.
In the following description, certain terminology is used to discuss features of the present invention. For example, a “platform” includes any product that performs operations for subsequent analysis and verification of the platform's boot process. Examples of the platform include, but are not limited or restricted to a computer (e.g., desktop, a laptop, a server, a workstation, a personal digital assistant or other hand-held, etc.); communication equipment (e.g., wireless handset, facsimile, etc.); a television set-top box and the like. A “link” is broadly defined as one or more information-carrying mediums such as electrical wire, optical fiber, cable, trace, or even a wireless channel using infrared, radio frequency (RF), or any other wireless signaling mechanism.
In addition, the term “information” is defined as one or more bits of data, address, and/or control. A “software module” includes code that, when executed, performs a certain function. Examples of a software module include an application, an applet, or even a series of code instructions, possibly a subset of code from an applet, acting as a lesser sized software module.
Representatively, graphics block 118 hard drive devices (HDD) 114 and main memory 112 may be coupled to chipset 110. In one embodiment, chipset 110 is configured to include a memory controller hub (MCH) and/or an input/output (I/O) controller hub (MCH) to communicate with I/O devices 116 (116-1, . . . , 116-N). In an alternate embodiment, chipset 110 is or may be configured to incorporate graphics block 118 and operate as a graphics memory controller hub (GMCH). As described herein, a “controller hub” may refer to a chipset, an MCH, an ICH, GMCH or other like hardware configuration having one or more attached input/output (I/O) devices.
In one embodiment, main memory 112 may include, but is not limited to, random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), double data rate (DDR) SDRAM (DDR-SDRAM), Rambus DRAM (RDRAM) or any device capable of supporting high-speed buffering of data. Client platform further includes firmware hub (FWH) 280, which may include a basic input/output system (BIOS) 282, which is modified to perform, in addition to initialization of client platform, initialization of ACL 200 to enable dynamic provisioning of an access control policy within, for example, chipset 110, according to one embodiment.
As further illustrated in
In one embodiment, such platform configuration status may include information regarding attached busses, point-to-point links (“interconnects”), peripheral devices, controllers or other like resources of chipset 110, collectively referred to herein as “enumerated platform resources.” In one embodiment, the network access request requires a report from ACL 200, which includes a status bit for each enumerated platform resource of chipset 110. In one embodiment, the status bit indicates whether the enumerated platform resource is enabled/disabled for system use. In response to such platform configuration status information, PDP 250 may evaluate such platform status configuration and compare it to an enterprise policy for properly configured clients in terms of supported peripherals, busses and interconnects.
Accordingly, in one embodiment, ACL 200 combines network access control (NAC) technology with, for example, chipset switching capabilities resulting in the ability for enterprise information technology (IT) personnel to provision a peripheral oriented access control policy as part of a network access request. In other words, such enterprise IT personnel may program a network access PDP 250 to ensure that one or more enumerated platform resources of a requesting client configuration are disabled prior to access to the network 122. Disabling of such devices may be required according to an enterprise IT policy to secure network 122 from threats, such as malware (e.g., computer vices, Trojan horses, worms).
Details regarding ACL 200 and network access PDP 250 are illustrated according to one embodiment in
In accordance with a TCG Specification entitled “Main Specification Version 1.2b,” published on or around Apr. 28, 2004, each personal computer (PC) is implemented with a trusted hardware device referred to as a Trusted Platform Module (TPM). The proposed behavior of a TCG enabled device requires roots of trust or components that must be trusted because misbehavior of such components may not be detected. As defined by the TCG, there are commonly three roots of trust in a trusted platform: a root of trust for measurement (RTM), a root of trust for storage (RTS) and a root of trust for reporting (RTR). The root of trust for storage, or RTS, protects keys and data entrusted to the TPM. The RTS manages a small amount of volatile memory where keys are held while performing signing and decryption operations. Inactive keys may be encrypted and moved off-chip to make room for other more active keys. Representatively, client platform 100 may include TPM 260 integrated on chipset 110.
In one embodiment, ACL 200, in response to a request for platform configuration status, may use report logic 232 to provide platform configuration status regarding the configuration of attached controllers, peripherals, resources, devices busses and interconnects to chipset 110, as shown in
As described herein, the evaluation stages of the network access request may refer to the point at which the client platform issues the network connectivity request until such time that the network connection request is granted by PDP 250, for example, as shown in
In one embodiment, the report logic 232 may generate platform configuration status, which includes a status bit for each enumerated platform resource of client platform 100. In one embodiment, the status bit to indicate whether the enumerated platform resource is enabled/disabled for a system use. Accordingly, in one embodiment, such status bits, which may be referred to herein as “access bits,” may refer to one or more bits associated with each attached peripheral device, resource or bus (enumerated platform resources).
Accordingly, in one embodiment, associated with each enumerated platform resource of client platform 100 are one or more bits describing whether the device may send transactions (transmit (tx) bits) and one or more bits to determine if the enumerated platform resource may receive transactions or transmissions (receive (rx) bits). In one embodiment, a set of access bits (tx/rx) may be assigned for the group of devices assigned to a controller. In addition, sets of access bits may be assigned to individual devices. In one embodiment, the group access bits take precedence when access is denied by the group bits. When access is allowed by the group access bits, the device specific bits are applicable.
In one embodiment, a manageability processor (MP), for example, as shown in
In one embodiment, PDP 250 may identify client platform 100 as having non-compliant configuration status and construct an access control policy in terms of access bits that satisfy the policy. Accordingly, in one embodiment, as described herein, an access control policy may refer to the setting of the various access bits 244 (
Referring again to
In one embodiment, a manageability engine (ME) may poll (or trigger controller polling) of a bus to discover configuration changes where bus logic does not generate control events. Accordingly, in one embodiment, in response to receipt of an I/O filter rule as part of an access control policy, I/O filter logic 252 may direct conditional control logic 240 to modify the various access bits 244, such that conditional control logic 240 may disable at least one enumerated platform resource of client platform 100 to comply with the received access control policy.
In one embodiment, enforcement of various access control policies may require participation of run-time environments, such as operating system (OS) drivers, active management technology (AMT) manageability engines (ME) (AMT-ME), AMT processors (AMT-P), input/output (I/O) devices, or, for example, an I/O controller hub (ICH), depending upon implementation choices. In one embodiment, the I/O filter rules may be implemented as a state machine for each peripheral device, individually or collectively, for all the devices attached to a bus. Accordingly, in one embodiment, conditional control logic 240 may include a state machine to direct, for example, an I/O controller hub (ICH) to enable/disable the various devices for use within client platform 100. Accordingly, in one embodiment, I/O filter rules are used to program access bits 244.
In one embodiment, more sophisticated I/O filters may be used to process data portions of bus traffic to identify and clean malicious content (e.g., viruses, worms). In this manner, a comprehensive antivirus scan can be applied, even when a source device is not a storage device. Accordingly, in one embodiment, chipset 110 may include mandatory access control for implementing one or more filters to process data portions of bus traffic to identify and clean malicious content. In one embodiment, platform configuration status reports of I/O filters and enumerated platform resources (“platform configuration status”) are protected by one or more trusted platform modules (TPM), where a hash of the configuration state may be extended into platform configuration registers (PCR) and made available for later use (such as, reporting to a PDP).
A “cryptographic operation” is an operation performed for additional data security. For example, one type of cryptographic operation involves digital signing information to produce a digital signature. This digital signing operation may be in accordance with Digital Signature Algorithm (DSA). Another type of cryptographic operation involves hashing, namely a one-way conversion of information to a fixed-length representation. Often, this representation, referred to as a “hash value” or an “identifier”, is substantially less in size than the original information. It is contemplated that, in some cases, a 1: 1 conversion of the original information may be performed.
As shown below, a hash value of “X” may be represented as “Hash(X)”. Of course, it is contemplated that such information may be stored within external memory 180 of platform 100 in lieu of flash memory 266. The cryptographic information may be encrypted, especially if stored outside TPM 260. As further illustrated, TPM 260 includes platform configuration registers (PCR) 264, which may be used to store, for example, platform metrics to perform a PCR binding between data protected by TPM 260 and/or a platform configuration status (PCS) 265 that is required before PDP 250 (
In one embodiment, as shown in
In one embodiment, BIOS logic may be implemented using an EFI firmware interface to provide, for example, an operating system (OS) of client platform 100 access to firmware components including a system abstraction layer (SAL) and a processor abstraction layer (PAL) are collectively referred to herein as “IPF firmware.” According to IPF firmware, SAL is the firmware layer that isolates an operating system and higher level software from implementation differences in the platform. Conversely, PAL provides a consistent software interface to access the processor resources across different processor implementations and encapsulates all processor mode specific hardware.
Accordingly, SAL, which is similar to a basic input/output system (BIOS) may, during boot-up of client platform 100, interact with an OS to load portions of the operating system into memory. Accordingly, SAL may be responsible for performing the functionality of PIM 282 to launch ACLIC 290. Accordingly, during the boot-up of client platform 100, SAL is responsible for performing tests, initialization and loading of the first level of the operating system loader 289. As part of this process, the SAL would load ACLIC 290 to enable dynamic provisioning of an access control policy within a controller hub, according to one embodiment.
In one embodiment, AMT-ME 370 may receive I/O filter rules and apply the various I/O filter rules to the ICH 326 to modify access bits 244. However, in alternative embodiments, application of the access control policy may be implemented using various techniques for exploiting the native control capabilities of a device or bus. In particular, the AMT-ME 370, in one embodiment, may refer to access bits 244 stored in system memory 312 to control device interactions as part of servicing I/O requests, such that any I/O requests from disabled devices are ignored.
Although illustrated to include manageability processor 370, in one embodiment, manageability processor 370 may be incorporated within ACL logic 200, as shown in
In the embodiment illustrated in
In one embodiment, ME 370 may be directed to issue a signal to ICH 326 to enable network access if PDP 250 detects a compliant configuration. In a further embodiment, when an access control policy including at least one I/O filter is transmitted to ME 370 based on a non-compliant client platform configuration, ME 370 may be responsible for setting access bits 344 based on one or more received I/O filter rules. Based on such setting of access bits, conditional control logic of ACL would either enable or disable the various enumerated platform resources to conform client platform configuration to a compliant platform 300 to enable network access. Procedural methods for implementing one or more of the embodiments are now described.
Operation
Turning now to
In addition, embodiments are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement embodiments of the invention as described herein. Furthermore, it is common in the art to speak of software, in one form or another (e.g., program, procedure, process, application, etc.), as taking an action or causing a result. Such expressions are merely a shorthand way of saying that execution of the software by a computing device causes the device to perform an action or produce a result.
Referring again to
Referring again to
Accordingly, at process block 420, the report is provided to the PDP via, for example, as described by the IEEE Std. 802.1X-2001. Accordingly, in one embodiment, as shown at process block 420, the client platform returns platform configuration status information, including a list of each enumerated platform resource and access bits regarding whether such enumerated platform resource is enabled/disabled for system use. At process block 430, the policy decision point evaluates the report and compares it to an IT policy.
In one embodiment, for example, as shown in
Accordingly, in one embodiment, the access control policy generated by the PDP, for example, such as PDP 250 as shown in
In response to receipt of the access control policy, at process block 442, a client manageability engine installs the at least one I/O filter of the received access control policy. For example, as shown in
Referring again to
In one embodiment, the signaling from the client manageability engine to the controller hub is performed during the evaluation stages of the network access request issued by the client platform at process block 402. As described above, the creation of a control channel, for example, using control channel logic 234 (
Accordingly, in contrast to conventional devices, which relay on bus enumeration to poll bus controllers for a signal indicating presence, enumerated platform resources, as shown in
Accordingly, using ACL logic 200, for example as shown in
In any representation of the design, the data may be stored in any form of a machine readable medium. An optical or electrical wave 560 modulated or otherwise generated to transport such information, a memory 550 or a magnetic or optical storage 540, such as a disk, may be the machine readable medium. Any of these mediums may, carry the design information. The term “carry” (e.g., a machine readable medium carrying information) thus covers information stored on a storage device or information encoded or modulated into or onto a carrier wave. The set of bits describing the design or a particular of the design are (when embodied in a machine readable medium, such as a carrier or storage medium) an article that may be sealed in and out of itself, or used by others for further design or fabrication.
Alternate EmbodimentsIt will be appreciated that, for other embodiments, a different system configuration may be used. For example, while the system 100 includes a single CPU 102, for other embodiments, a symmetric multiprocessor system (SMP) (where one or more processors or processor cores may be similar in configuration and operation to the CPU 102 described above) may benefit from the dynamic provisioning of an access control policy to a controller hub of various embodiments. Further different type of system or different type of computer system such as, for example, a server, a workstation, a desktop computer system, a gaming system, an embedded computer system, a blade server, etc., may be used for other embodiments.
Elements of embodiments may also be provided as an article of manufacture including a machine-readable medium for storing the machine-executable instructions. The machine-readable medium may include, but is not limited to, flash memory, optical disks, compact disks-read only memory (CD-ROM), digital versatile/video disks (DVD) ROM, random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, propagation media or other type of machine-readable media suitable for storing electronic instructions. For example, embodiments described may be downloaded as a computer program which may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).
It should be appreciated that reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Therefore, it is emphasized and should be appreciated that two or more references to “an embodiment” or “one embodiment” or “an alternative embodiment” in various portions of this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined as suitable in one or more embodiments of the invention.
In the above detailed description of various embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which are shown by way of illustration, and not of limitation, specific embodiments in which the invention may be practiced. In the drawings, like numerals describe substantially similar components throughout the several views. The embodiments illustrated are described in sufficient detail to enable those skilled in to the art to practice the teachings disclosed herein. Other embodiments may be utilized and derived therefrom, such that structural and logical substitutions and changes may be made without departing from the scope of this disclosure. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of various embodiments is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled.
Having disclosed embodiments and the best mode, modifications and variations may be made to the disclosed embodiments while remaining within the scope of the embodiments as defined by the following claims.
Claims
1. A method comprising:
- providing, to a network policy decision point, conditional control settings for each enumerated resource of a hardware platform as a platform configuration status; and
- modifying the conditional control settings for at least one enumerated resource of the hardware platform according to a received access control policy if the platform configuration status is identified as a non-compliant configuration.
2. The method of claim 1, wherein prior to providing the conditional control settings, the method further comprises:
- issuing a network access request;
- receiving, from the network policy decision point, a request for a network authentication control (NAC) report; and
- generating a configuration report including a status bit for each enumerated platform resource, the status bit to indicate, for the respective enumerated platform resource, whether the enumerated platform resource is enabled/disabled for use by the hardware platform.
3. The method of claim 2, wherein receiving the request for the network access control report further comprises:
- establishing a control channel to enable resource enumeration of each controller and device attached to the hardware platform; and
- disabling each of the controllers and devices attached to the hardware platform during evaluation stages of the network access request to restrict traffic on the control channel to polling packets to enable the resource enumeration.
4. The method of claim 2, wherein generating the configuration report further comprises:
- polling the hardware platform for bus controllers and attached devices to perform enumeration of bus controllers and attached devices of the hardware platform; and
- establishing, during the polling of the platform, a control channel to restrict traffic over the control channel to polling packets.
5. The method of claim 1, wherein modifying the conditional control settings comprises:
- selecting at least one input/output (I/O) filter from the received access control policy;
- setting a status bit of at least one enumerated platform resource to enable/disable the respective platform resource according to the I/O filter to convert the platform configuration status to a compliant configuration; and
- enabling the hardware platform to access the network.
6. The method of claim 1, further comprising:
- receiving network access if the platform configuration status is identified as a compliant configuration; and
- signaling an input/output (I/O) controller hub to enable read/write access of enumerated platform resources that are enabled according to a respective status bit.
7. A method comprising:
- evaluating, by a policy network decision point, received conditional control settings of each enumerated resource of a hardware platform to determine compliance of a hardware platform configuration with an enterprise policy for properly configured clients according to supported peripheral devices, busses and interconnects;
- generating an access control policy to enable/disable at least one enumerated hardware platform resource if the hardware platform configuration is identified as non-compliant; and
- transmitting the access control policy to the hardware platform.
8. The method of claim 7, wherein prior to evaluating the received conditional control settings, the method further comprises:
- receiving a client request for a network connection; and
- requesting a network access control report regarding a client platform hardware configuration status.
9. The method of claim 7, wherein generating the access control policy further comprises:
- generating at least one input/output (I/O) filter, the I/O filter including conditional control setting for at least one enumerated platform resource of a client platform to enable the client platform to modify the conditional control settings of the at least one enumerated platform resource to provide compliance with the access control policy.
10. An article of manufacture having a machine accessible medium including associated data, wherein the data, when executed, results in the machine performing:
- establishing, during evaluation stages of a network access request, a control channel to enable resource enumeration of a hardware platform while disabling data read/write processing of the hardware platform;
- transmitting conditional control settings to a network policy decision point for each enumerated resource of the hardware platform; and
- modifying conditional control settings for at least one enumerated resource of the hardware platform according to a received access control policy if the conditional control settings identify that hardware platform as having a non-compliant configuration.
11. The article of manufacture of claim 10, wherein the machine readable medium further comprises data, which when accessed, results in the machine further performing:
- enabling read/write access of the hardware platform once the conditional control settings for the at least one enumerated resource is modified.
12. The article of manufacture of claim 10, wherein the machine readable medium further comprises data, which when accessed, results in the machine further performing:
- generating a hash value of a platform configuration status according to conditional control settings for each enumerated platform resource of the hardware platform; and
- storing the hash value within platform configuration registers protected by a trusted platform module.
13. An apparatus comprising:
- a controller to provide conditional control settings for each enumerated controller resource of the controller as a controller configuration status and to modify the conditional control settings for at least one enumerated controller resource according to a received access control policy if the controller configuration status is identified as a non-compliant configuration.
14. The apparatus of claim 13, further comprising:
- a manageability processor, the manageability processor to issue a network access request to a network and to receive at least one input/output (I/O) filter as part of the received access control policy, the I/O filter to provide at least one conditional control setting to disable at least one enumerated controller resource to provide compliance with the access control policy.
15. The apparatus of claim 15, wherein the controller further comprises:
- conditional control logic, the conditional control logic to enable/disable enumerated controller resources according to at least one access bit of each enumerated controller resource.
16. The apparatus of claim 13, wherein the controller is further to establish a control channel to enable resource enumeration of each bus controller and device attached to the controller and to disable each of the bus controllers and attached devices of the controller during evaluation stages of a network access request to restrict traffic on the control channel to polling packets to enable the resource enumeration.
17. The apparatus of claim 13, wherein the controller comprises:
- an I/O controller hub coupled to a memory controller hub, the memory controller hub including a manageability processor, the manageability processor to issue a network access request to a network and to receive at least one input/output (I/O) filter as part of the received access control policy.
18. A system comprising:
- a dynamic random access memory (DRAM) to store a controller configuration status of a second controller;
- a chipset, the chipset including a first controller coupled to the DRAM, the first controller including a client manageability processor to issue a network access request and to receive an access control policy from a policy decision point of a network if the controller configuration status of the second controller is identified as a non-compliant configuration by the policy decision point; and
- the second controller coupled to the first controller, the second controller to provide conditional control settings for each enumerated resource coupled to the second controller as the controller configuration status and to modify conditional control settings for at least one enumerated resources according to the access control policy received by the manageability processor of the first controller.
19. The system of claim 18, wherein the first controller comprises a memory controller hub coupled to a memory, the memory to store the conditional control settings for each enumerated resource coupled to the second controller.
20. The system of claim 18, wherein the second controller comprises an I/O controller hub.
21. The system of claim 18, wherein the second controller comprises conditional control logic, the conditional control logic to enable/disable each enumerated resource coupled to the second controller according to a respective access bit associated with the enumerated resource.
22. The system of claim 18, wherein the second controller comprises control channel logic, the control channel logic to establish a control channel to enable resource enumeration of each bus controller and device attached to the second controller and to disable each of the bus controllers and devices attached to the second controller during evaluation stages of the network access request to restrict traffic on the control channel to polling packets to enable the resource enumeration.
23. The system of claim 18, wherein the client manageability processor is to signal the second controller to enable read/write access of the bus controllers and attached devices of the second controller once the conditional control settings of the at least one enumerated resources coupled to the second controller is modified to provide compliance of the controller configuration status to the access control policy.
International Classification: G06F 15/177 (20060101);